Re: LDAPv3: The OpenLDAP/Kerberos/SASL soup (was Kerberos and DIGEST-MD5)

Howard Chu wrote:

Jose Gonzalez Gomez wrote:

          o Of course, make use of TLS/SSL if you are planning to
            provide simple bind authentication. You don't want to blow
            out your whole Kerberos security having those passwords
            floating around your network, do you?

This is a strong argument against supporting Simple Binds at all, when using Kerberos.

I agree with you, but few, if any, of the most popular programs that you need to give access to OpenLDAP support either GSSAPI or SASL when authenticating against an LDAP directory. I'm thinking of mail clients (Mozilla, Outlook, ...) that use LDAP as a source for their address books. Unfortunately you must give them access, and in some cases you need to authenticate the user accessing the directory so you can decide what information she may see.

Anyway, OpenLDAP doesn't completely implement the whole LDAPv3 standard, so maybe we won't miss DIGEST-MD5 that much until there is an easier way of doing it...

Since LDAPv3 is an extensible protocol, I'm not sure what this statement means.

I was just joking. I'm still trying to decide what would be the best combination of software/config to offer as many services as possible, so I was trying to include DIGEST-MD5 authentication in the whole picture. SASL/GSSAPI and simple bind are really straightforward to set up once you get all the pieces together, but it seems that DIGEST-MD5 is not so simple to set up right now, so I will give up (for now) on including it in my environment.

   Best regards
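The thread's point that simple binds from address-book clients must not carry passwords in the clear can be enforced on the server rather than left to each client. The slapd.conf fragment below is an added example, not configuration from anyone in this thread; the certificate paths are placeholders, and the directives (security, sasl-secprops, disallow, TLS*) are OpenLDAP 2.x slapd.conf options.

```conf
# slapd.conf fragment (OpenLDAP 2.x) - added example, not from the thread.

# Weak: the default. A client may send "bind -x -D cn=user,... -w secret"
# over plain ldap://, and the Kerberos-synchronised password crosses the wire
# in clear text. Nothing needs to be configured to get this behaviour.

# Corrected: simple binds are only accepted once the session has at least
# 128-bit transport protection (StartTLS on port 389 or ldaps:// on 636).
# Only simple_bind= is raised, so anonymous address-book lookups over plain
# ldap:// keep working for clients that cannot do TLS at all; raise ssf= too
# if even anonymous reads must be protected. update_ssf= covers writes.
security simple_bind=128 update_ssf=128

# SASL mechanisms: refuse anonymous and clear-text (PLAIN/LOGIN) mechanisms
# and require 56-bit protection, so GSSAPI/DIGEST-MD5 are the only options
# for SASL binds that slapd will advertise and accept.
sasl-secprops noanonymous,noplain,minssf=56

# Stricter alternative when every client supports SASL/GSSAPI: drop simple
# binds entirely. Not usable here, because the mail clients discussed above
# can only do simple binds.
# disallow bind_simple

# Server certificate and key used for StartTLS / ldaps:// (placeholder paths).
TLSCertificateFile    /etc/openldap/ssl/server.crt
TLSCertificateKeyFile /etc/openldap/ssl/server.key
TLSCACertificateFile  /etc/openldap/ssl/ca.crt
```

To confirm the setting took effect, `ldapwhoami -x -D "cn=user,dc=example,dc=com" -W -H ldap://server/` should now be refused with a confidentiality-required error, while the same command with `-ZZ` (mandatory StartTLS) succeeds.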